EXPLOITING EMBEDDED SYSTEMS THE SEQUEL!

More documents

Recommendations

Info

Injector 2.0• Monitors HTTP downloads• Injects and modifies PE header of executabledownload• Executes original executable and appendedexecutable• Only one packet required to infect executable• Injector will run on any ARM based routerCopyright © 2007 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 40
Injector 2.0• Watch for downloads over port 80• Check for executable download (check for MZheader)• Is executable a PE file?• Inject payload into DOS stub• Redirect PE entry-point to DOS stub• Change BaseOfCode in PE header so no DEPwarnings• Re-checksum TCP packetCopyright © 2007 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 41
Page 1 and 2: EXPLOITING EMBEDDEDSYSTEMSTHE SEQUE
Page 3 and 4: Embedded Architectures• MIPS and
Page 5 and 6: The ARM Architecture• RISC based
Page 7 and 8: The BDI2000JTAG Support for:• MIP
Page 9 and 10: The JTAG Interface - ARM/XSCALE•
Page 11 and 12: The Serial Interface• Support for
Page 13 and 14: Locating the JTAG pointsTypical sce
Page 15 and 16: Connecting the BDI2000Copyright ©
Page 17 and 18: Defeating the Watchdog• Software
Page 19 and 20: Debugging and Reversing• Flash on
Page 21 and 22: Debugging and Reversing• Decrypte
Page 23 and 24: New Attack Classes• Exploitable N
Page 25 and 26: New Attack Classes - Vector Rewrite
Page 27 and 28: New Attack Classes - Prevention•
Page 29 and 30: System-On-Chip Designs• Many chip
Page 31 and 32: Exploitation (ARM)• The ARM proce
Page 33 and 34: ExploitationTwo Step Exploitation1
Page 35 and 36: Exploitation (ARM)Set remote config
Page 37 and 38: Exploitation• Successful exploit
Page 39: Firmware PatchConsiderations:• Ne
Page 43 and 44: Exploit DemonstrationDEMO!Copyright
Page 45 and 46: Summary• Security flaws are abund

EXPLOITING EMBEDDED SYSTEMS THE SEQUEL!

Create successful ePaper yourself

Delete template?

Save as template?